Thanks for the reply. I have control of the CA in creating certificates. The CRL contains the SN of the certs that are revoked. I also noticed we have an SRL file which shows the last SN used for the certificates and it increments by 1 for every certificate created. You said: "Having the same serial on CA2 as on CA1 is totally irrelevant." Does that mean the CRL goes by more than the SN? I was thinking of doing this: edit the SRL and replace it with the SN of the revoked cert; after using it I revert back to the correct SN pattern.
If the CRL does need to have a perfect match to treat the created cert as a "revoked cert", do I need to create a perfect replication in terms of all input parameters, or will the CRL be smart enough to know they are still different? Thanks

--- On Tue, 11/17/09, Dave Thompson <[email protected]> wrote:

> From: Dave Thompson <[email protected]>
> Subject: RE: how to create an already revoked certificate?
> To: [email protected]
> Date: Tuesday, November 17, 2009, 4:06 PM
>
> > From: [email protected] On Behalf Of Al
> > Sent: Monday, 16 November, 2009 15:40
> >
> > I am trying to create a certificate that is already revoked
> > (for testing purposes). I noticed the CRL has the SNs of the
> > certificates and I am wondering if I could set the SN to
>
> Yes, certs are identified for many purposes, including
> revocation on a CRL, by serial within CA.
>
> > revoked cert SNs during new certificate creation?
>
> This is not entirely clear; I assume you mean create a new cert
> with a serial that is already on a CRL issued by the (same) CA.
> (You can't change the serial on an issued cert; it's part of the
> signed content. You legally could create/issue a new cert,
> with new CA/serial, and all other contents the same as an
> existing cert, even validity. But it's usual to redo the validity.
> Having the same serial on CA2 as on CA1 is totally irrelevant.)
>
> If you control the CA, maybe; it depends on what the CA software
> does. A CA is not SUPPOSED to ever issue different certs with
> the same serial, but you may be able to override or fake yours.
> openssl ca|x509(ca) depend on text files you can clobber;
> openssl req(self)|x509(self) obey the command line.
>
> If you do create two (or more) certs with the same serial, and
> both (or multiple) of them are ever present in any environment,
> you have a very good chance of creating chaos. The purpose of
> the serial is to uniquely identify the cert within a given CA,
> and lots of software assumes this. If there are two different
> certs with the same serial for the same CA, all kinds of things
> can go wrong that you can spend months debugging.
>
> But if you control the CA, you should be able to easily issue
> a new CRL about as easily as you can issue a new cert.
>
> If you don't control the CA, and it is competently run, no. It
> will always create new certs with unique serials, as it should.
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       [email protected]
> Automated List Manager                           [email protected]
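The scenario the thread is circling, reproduced as an added example (this is not code from the thread or from the OpenSSL project): build a throwaway CA, issue and revoke one cert, publish a CRL, then overwrite the `.srl` serial file exactly as the poster proposes so that the next cert is issued with the revoked serial under a different key and subject, and finally ask `openssl verify -crl_check` what it thinks of each cert. It assumes an `openssl` binary (1.1.1 or 3.x) on PATH; every directory, file and subject name in it is made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread: throwaway CA, one revoked cert, a CRL,
# then a clobbered serial file so the next cert reuses the revoked serial.
# Assumes `openssl` (1.1.1 or 3.x) on PATH; all names below are invented.
set -eu

write_ca_config() {   # write_ca_config <dir>: minimal config for `req -x509` and `ca`
    cat > "$1/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $1
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
serial           = \$dir/serial.srl
default_md       = sha256
default_days     = 30
default_crl_days = 30
policy           = policy_any
[ policy_any ]
commonName = supplied
EOF
}

make_demo_ca() {      # make_demo_ca <dir>: self-signed CA, empty index, serial counter at 0x1000
    mkdir -p "$1/newcerts"
    write_ca_config "$1"
    : > "$1/index.txt"
    echo 1000 > "$1/serial.srl"   # "last serial used"; x509 -req adds 1 before using it
    openssl req -x509 -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj /CN=demo-ca -days 30 -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_cert() {        # issue_cert <dir> <name>: sign a fresh key/CSR; prints the serial assigned
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    # x509 -req reads serial.srl, increments it, uses that value and writes it back
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAserial "$1/serial.srl" -days 30 -out "$1/$2.crt" 2>/dev/null
    openssl x509 -noout -serial -in "$1/$2.crt" | cut -d= -f2
}

revoke_and_publish_crl() {   # revoke_and_publish_crl <dir> <cert.pem>
    # `ca -revoke` adds the cert to index.txt if it is not there yet, then marks it R
    openssl ca -config "$1/ca.cnf" -revoke "$2" 2>/dev/null
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}

revocation_status() {        # revocation_status <dir> <cert.pem>: prints valid|revoked|error
    if out=$(openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/crl.pem" "$2" 2>&1); then
        echo valid
    elif printf '%s\n' "$out" | grep -q 'certificate revoked'; then
        echo revoked
    else
        echo error
    fi
}

run_demo() {          # run_demo <dir>: prints "<serial>:<status>" for three certs
    make_demo_ca "$1"
    s1=$(issue_cert "$1" client-one)                   # gets serial 1001
    s2=$(issue_cert "$1" client-two)                   # gets serial 1002
    revoke_and_publish_crl "$1" "$1/client-one.crt"    # CRL now lists 1001
    # Clobber the serial file so the next cert reuses 1001 with a new key and
    # subject, then put the real counter back so later issuance does not collide.
    cp "$1/serial.srl" "$1/serial.srl.bak"
    echo 1000 > "$1/serial.srl"
    s3=$(issue_cert "$1" client-three)                 # also serial 1001
    cp "$1/serial.srl.bak" "$1/serial.srl"
    echo "$s1:$(revocation_status "$1" "$1/client-one.crt")" \
         "$s2:$(revocation_status "$1" "$1/client-two.crt")" \
         "$s3:$(revocation_status "$1" "$1/client-three.crt")"
}

DEMO_DIR=$(mktemp -d)
DEMO_RESULT=$(run_demo "$DEMO_DIR")
echo "$DEMO_RESULT"   # 1001:revoked 1002:valid 1001:revoked
```

The third cert shares nothing with the first except issuer and serial, yet the CRL check rejects it, which is the point Dave makes: a CRL entry is matched by serial within the issuing CA and nothing else, so no "perfect replication" of the other fields is needed. The example also shows why the counter must be restored by hand: `x509 -req` overwrites the `.srl` file on every signing, so after the clobbered run it would otherwise read 1001 and hand out 1002 a second time. This is a reasonable way to test that a relying party's revocation checking actually works, as long as the duplicate-serial cert never leaves the test environment.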
